amicus@1.9.0

Multi-model LLM Council + parallel AI window for Claude Code. Run structured council reviews across Gemini, GPT, DeepSeek and more — or fork a conversation to any model and fold the results back.

AI Security Review

scanned 12h ago · by lpm-firewall-ai

Install-time script mutates broad Claude/AI-agent control surfaces in the user's home directory. It installs package-supplied skills and registers an auto-latest MCP server without an explicit user-invoked setup step.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review; previous stored version diff introduced dangerous source
Trigger
npm install lifecycle postinstall
Impact
Claude Code/Desktop may automatically expose and follow package-supplied agent skills/tools after install, with future MCP execution delegated to npx -y amicus@latest mcp.
Mechanism
unconsented Claude skill and MCP registration
Attack narrative
On npm install, the package's postinstall script copies its own Claude skills into ~/.claude, registers an amicus MCP server in Claude Code and Claude Desktop configs, and uses an npx -y amicus@latest mcp command for future tool execution. This is lifecycle-triggered mutation of foreign/broad AI-agent control surfaces rather than a user-invoked setup flow.
Rationale
The source directly implements unconsented lifecycle writes into Claude skills and MCP config surfaces, which matches the firewall policy's blockable AI-agent control hijack category even though the planted content is product-aligned. No separate credential theft or data exfiltration was needed to establish the install-time control-surface hijack.
Evidence
  • package.json
  • scripts/postinstall.js
  • scripts/setup-hooks.js
  • skills/sidecar/SKILL.md
  • skills/second-opinion/SKILL.md
  • src/mcp-server.js
  • ~/.claude/skills/sidecar/SKILL.md
  • ~/.claude/skills/second-opinion/SKILL.md
  • ~/.claude/skills/second-opinion/COUNCIL-DESIGN.md
  • ~/.claude/skills/second-opinion/MODEL-NOTES.md
  • ~/.claude.json
  • ~/Library/Application Support/Claude/claude_desktop_config.json
  • %APPDATA%/Claude/claude_desktop_config.json
  • ~/.config/claude/claude_desktop_config.json
  • .git/config core.hooksPath

Decision evidence

public snapshot
AI called this Malicious at 97.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node scripts/postinstall.js
  • scripts/postinstall.js copies package skills into ~/.claude/skills/sidecar and ~/.claude/skills/second-opinion
  • scripts/postinstall.js registers an MCP server in Claude Code via claude mcp add-json --scope user
  • scripts/postinstall.js edits ~/.claude.json and Claude Desktop claude_desktop_config.json fallback paths
  • MCP config uses command npx args ['-y','amicus@latest','mcp'], creating a standing auto-latest agent tool registration
  • scripts/setup-hooks.js can set git core.hooksPath from postinstall when install occurs in a git checkout
Evidence against
  • Postinstall is best-effort and has AMICUS_SKIP_POSTINSTALL=1 guard
  • No credential exfiltration or destructive payload found in inspected install path
  • Installed skill/MCP content is product-aligned multi-model sidecar functionality
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 134 file(s), 821 KB of source, external domains: aistudio.google.com, api.anthropic.com, api.deepseek.com, api.openai.com, console.anthropic.com, generativelanguage.googleapis.com, nodejs.org, openrouter.ai, platform.deepseek.com, platform.openai.com, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/amicus.js
L13: try {
L14:   const { migrateLegacyConfigDir } = require('../src/utils/config');
L15:   const _m = migrateLegacyConfigDir();
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/amicus.js · L13
scripts/postinstall.js
Install-time AI-agent control hijack evidence:
L5:  *
L6:  * 1. Copies SKILL.md to ~/.claude/skills/sidecar/
L7:  * 2. Registers MCP server in Claude Code (~/.claude.json)
L8:  * 3. Registers MCP server in Claude Desktop/Cowork config
...
L37: function skillsRoot() {
L38:   return path.join(os.homedir(), '.claude', 'skills');
L39: }
...
L70:
L71:   if (!existing.mcpServers) { existing.mcpServers = {}; }
L72:
L73:   const prev = existing.mcpServers[name];
L74:   const nextConfig = (prev && isAmicusMcpConfig(prev)) ? { ...prev, ...config } : config;

Payload evidence from skills/sidecar/SKILL.md:
L41: 1. **ALWAYS launch amicus CLI commands with the Bash tool's `run_in_background: true`.** Never run `amicus start/resume/continue` in the foreground.
L42: 2. **The fold summary returns on stdout** when the user clicks Fold in the GUI or the headless agent finishes. Use TaskOutput to read it when the background task completes.
L43: 3. **For long or multi-line briefings, write them to a temp file and pass `--prompt-file <path>`** (mutually exclusive with `--prompt`; avoids shell-quoting hazards and argument-si...
...
L82: **Step 1: Get an OpenRouter API key**
L83: - Sign up at https://openrouter.ai
…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.js · L5
src/sidecar/electron-install.js
matchType = normalized_sha256
matchedPackage = amicus@1.7.7
matchedPath = src/sidecar/electron-install.js
matchedIdentity = npm:YW1pY3Vz:1.7.7
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/electron-install.js
src/sidecar/unzip.js
matchType = normalized_sha256
matchedPackage = amicus@1.7.7
matchedPath = src/sidecar/unzip.js
matchedIdentity = npm:YW1pY3Vz:1.7.7
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/unzip.js
src/sidecar/setup-window.js
matchType = normalized_sha256
matchedPackage = amicus@1.7.7
matchedPath = src/sidecar/setup-window.js
matchedIdentity = npm:YW1pY3Vz:1.7.7
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/sidecar/setup-window.js
src/opencode-client.js
matchType = normalized_sha256
matchedPackage = amicus@1.7.7
matchedPath = src/opencode-client.js
matchedIdentity = npm:YW1pY3Vz:1.7.7
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

src/opencode-client.js
src/mcp-server.js
matchType = previous_version_dangerous_delta
matchedPackage = amicus@1.8.1
matchedIdentity = npm:YW1pY3Vz:1.8.1
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/mcp-server.js

Findings

1 Critical · 6 High · 5 Medium · 4 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.js
  • High · Install Time Lifecycle Scripts · package.json
  • High · Known Malware Source Similarity · src/sidecar/electron-install.js
  • High · Known Malware Source Similarity · src/sidecar/unzip.js
  • High · Known Malware Source Similarity · src/sidecar/setup-window.js
  • High · Known Malware Source Similarity · src/opencode-client.js
  • High · Previous Version Dangerous Delta · src/mcp-server.js
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Dynamic Require · bin/amicus.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings